Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments. This article describes how to list role assignments using Azure CLI.
Note
If your organization has outsourced management functions to a service provider who uses Azure Lighthouse, role assignments authorized by that service provider won't be shown here. Similarly, users in the service provider tenant won't see role assignments for users in a customer's tenant, regardless of the role they've been assigned.
Prerequisites
List role assignments for a user
To list the role assignments for a specific user, use az role assignment list:
az role assignment list --assignee {assignee}
By default, only role assignments for the current subscription will be displayed. To view role assignments for the current subscription and below, add the --all parameter. To include role assignments at parent scopes, add the --include-inherited parameter. To include role assignments for groups of which the user is a member transitively, add the --include-groups parameter.
The following example lists the role assignments that are assigned directly to the patlong@contoso.com user:
az role assignment list --all --assignee patlong@contoso.com --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
[
{
"principalName": "patlong@contoso.com",
"roleDefinitionName": "Backup Operator",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
},
{
"principalName": "patlong@contoso.com",
"roleDefinitionName": "Virtual Machine Contributor",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
}
]
List role assignments for a resource group
To list the role assignments that exist at a resource group scope, use az role assignment list:
az role assignment list --resource-group {resourceGroup}
The following example lists the role assignments for the pharma-sales resource group:
az role assignment list --resource-group pharma-sales --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
[
{
"principalName": "patlong@contoso.com",
"roleDefinitionName": "Backup Operator",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
},
{
"principalName": "patlong@contoso.com",
"roleDefinitionName": "Virtual Machine Contributor",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
},
...
]
List role assignments for a subscription
To list all role assignments at a subscription scope, use az role assignment list. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use az account list.
az role assignment list --scope "/subscriptions/{subscriptionId}"
Example:
az role assignment list --scope "/subscriptions/00000000-0000-0000-0000-000000000000" --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
[
{
"principalName": "admin@contoso.com",
"roleDefinitionName": "Owner",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
},
{
"principalName": "Subscription Admins",
"roleDefinitionName": "Owner",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
},
{
"principalName": "alain@contoso.com",
"roleDefinitionName": "Reader",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
},
...
]
List role assignments for a management group
To list all role assignments at a management group scope, use az role assignment list. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use az account management-group list.
az role assignment list --scope /providers/Microsoft.Management/managementGroups/{groupId}
Example:
az role assignment list --scope /providers/Microsoft.Management/managementGroups/sales-group --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
[
{
"principalName": "admin@contoso.com",
"roleDefinitionName": "Owner",
"scope": "/providers/Microsoft.Management/managementGroups/sales-group"
},
{
"principalName": "alain@contoso.com",
"roleDefinitionName": "Reader",
"scope": "/providers/Microsoft.Management/managementGroups/sales-group"
}
]
List role assignments for a managed identity
Follow these steps:
Get the principal ID of the system-assigned or user-assigned managed identity.
To get the principal ID of a user-assigned managed identity, you can use az ad sp list or az identity list.
az ad sp list --display-name "{name}" --query [].id --output tsvTo get the principal ID of a system-assigned managed identity, you can use az ad sp list.
az ad sp list --display-name "{vmname}" --query [].id --output tsvTo list the role assignments, use az role assignment list.
By default, only role assignments for the current subscription will be displayed. To view role assignments for the current subscription and below, add the
--allparameter. To view inherited role assignments, add the--include-inheritedparameter.az role assignment list --assignee {objectId}